Sears IT Practices Called Into Question - InformationWeek
Software // Information Management
05:50 PM
Connect Directly
Ransomware: Latest Developments & How to Defend Against Them
Nov 01, 2017
Ransomware is one of the fastest growing types of malware, and new breeds that escalate quickly ar ...Read More>>

Sears IT Practices Called Into Question

A noted spyware researcher claims the retailer is installing online tracking software from ComScore without adequate consent and exposing its customers' purchase histories.

Sears' IT practices have come under fire from spyware researcher Benjamin Edelman, who alleges that Sears is installing online tracking software from ComScore without adequate consent and that Sears is exposing its customers' purchase histories in violation of its privacy policy.

In two reports published this week, Edelman, an assistant professor at the Harvard Business School and noted spyware researcher, said that Sears' installation of online tracking software from ComScore falls short of the standards established by the Federal Trade Commission.

"The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms," said Edelman in his Jan. 1 report. Sears Holding Co.'s "installation of comScore did nothing of the kind."

Benjamin Googins, a researcher at security company CA, leveled similar charges in December. " is distributing spyware that tracks all your Internet usage -- including banking logins, e-mail, and all other forms of Internet usage -- all in the name of 'community participation,' " he said in a blog post.

Sears Holding Co. VP Rob Harles disputed Googins' assertions in a lengthy rebuttal that stated in part, "With regard to informed consent, I strongly disagree with Mr. Googins' claims that there is a lack of informed consent relating to the members who have explicitly agreed to be tracked. My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation."

Edelman said he emphatically disagrees with Harles' assessment of Sears' practices.

In an e-mailed statement, a spokesperson for Sears echoed Harles. "The My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation," the spokesperson said. "Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy, and user licensing agreement. We provide additional notice of the tracking feature in the form of a welcome e-mail that is sent to everyone after they become a member."

In a report published Friday, Edelman demonstrated how Sears' Manage My Home site allows anyone to view what Sears customers have purchased. "Sears offers no security whatsoever to prevent a Manage My Home user from retrieving another person's purchase history by entering that person's name, phone number, and address," he said, noting that this violates the company's privacy policy.

Edelman concedes that Sears' Manage My Home site offers some useful services but chides Sears' IT staff for not recognizing the need to authenticate users following their decision to make purchase data available online.

"Did Sears's staff fail to notice the problem?" Edelman asked. "Decide to ignore it when they couldn't devise an easy solution to protect users' purchase histories? Resolve to argue that purchase history merits no better protection than the current system provides?"

In fact, Sears has noticed the problem. "We take our customers' privacy concerns very seriously," the company said in an e-mailed statement. "As a result, we have turned off the ability to view a customer's purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll